to_epoch - Learn more about the Cortex Query Language to_epoch() function that converts a timestamp value for a field or function to the Unix epoch timestamp format. - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation
Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2025-11-14
Category
Administrator Guide
Abstract

Learn more about the Cortex Query Language to_epoch() function that converts a timestamp value for a field or function to the Unix epoch timestamp format.

Syntax
to_epoch (<timestamp>, <time unit>)
Description

The to_epoch() function converts a timestamp value for a particular field or function to the Unix epoch timestamp format. This function requires a <time unit> value, which indicates whether the integer value for the Unix epoch timestamp format represents seconds (default), milliseconds, or microseconds. If no <time unit> is configured, the default is used. Supported values are:

  • SECONDS

  • MILLIS

  • MICROS

Example

Returns a maximum of 100 xdr_data records with the events of the _time field, which includes a timestamp field in the Unix epoch format called ts. The ts field contains the equivalent Unix epoch values in milliseconds for the timestamps listed in the _time field.

dataset = xdr_data
| filter _time != null
| alter ts = to_epoch(_time, "MILLIS")
| fields ts
| limit 100